The MAILING DATE of this communication appears on the cover sheet with the correspondence address

All claims being allowable, PROSECUTION ON THE MERITS IS (OR REMAINS) CLOSED in this application. If not included 
herewith (or previously mailed), a Notice of Allowance (PTOL-85) or other appropriate communication will be mailed in due course. THIS 
NOTICE OF ALLOWABILITY IS NOT A GRANT OF PATENT RIGHTS. This application is subject to withdrawal from issue at the initiative 
of the Office or upon petition by the applicant. See 37 CFR 1.313 and MPEP 1308.

3. □ Copies of the certified copies of the priority documents have been received in this national stage application from the International Bureau (PCT Rule 17.2(a)).

Applicant has THREE MONTHS FROM THE "MAILING DATE" of this communication to file a reply complying with the requirements
noted below. Failure to timely comply will result in ABANDONMENT of this application.

EXAMINER'S AMENDMENT

An examiner's amendment to the record appears below. Should the changes and/or 
additions be unacceptable to Applicant, an amendment may be filed as provided by 37 CFR 
1.312. To ensure consideration of such an amendment, it MUST be submitted no later than 
the payment of the issue fee. 

Authorization for an examiner's amendment was given in a telephone interview with 
Edward Van Gieson on 8/20/08. 

However, the Examiner has made several minor changes to the draft claims submitted
by Edward Van Gieson (by way of facsimile on 8/21/08), such as amending numerous
instances of the word "the" to "said" in the claims in order to remain consistent with
terminology throughout the claims (as "the" is used generically several times and it would
create confusion to use "the" both in the generic sense and as an alternative to "said").

Additionally, claim 10 has been amended to read as a firewall "stored on a machine 
readable medium" as opposed to Edward Van Gieson's suggestion to remove "resident on a 
host computer" without replacing it with a similar phrase. Removing the phrase with no 
further modification would create a 35 U.S.C. 101 rejection as the firewall alone may be 
implemented in at least one embodiment as software (see [0029] of Applicant's specification 
which discusses the firewall being embodied as a computer program product/software or in 
the TCP/IP stack). The state machine 430 is not described in sufficient detail in the 
Applicant's specification to lead to the conclusion that it may only be implemented in
hardware, therefore the preamble of the claim needs to indicate that the system is not 
directed to non-statutory subject matter. 

The Examiner believes the amendments to the claims made by Examiner to be minor 
changes that do not change the thrust of the claims, but do avoid confusion and 35 U.S.C. 
101 issues as discussed above. 

The application has been amended as follows: 

What is claimed is: 

1. A method of using a firewall resident on a host computer to prevent spoofing of an 
address resolution cache of said host computer, the method comprising: 

said firewall receiving a first unsolicited message from a target computer station that 
submits a genuine address resolution for a network protocol address; 

said firewall checking independently cached address resolution information 
associated with said host computer; 

in response to determining that cached address resolution information for said 
network protocol address of said target computer station has a previously cached address 
resolution which differs from said genuine address resolution submitted by said first 
unsolicited message, said firewall issuing a first broadcast request for network elements
having said network protocol address to reply with address resolution information in order 
to check the authenticity of said first unsolicited message submitting said genuine address 
resolution for said network protocol address; 

in response to determining that no reply messages match said previously cached 
address resolution that would contradict said genuine address resolution in said first 
unsolicited message, said firewall determining that said first unsolicited message is not 
spoofed and permitting at least one message to pass onto said host computer which includes 
said genuine address resolution for said target computer station; 

said firewall receiving a second unsolicited message from a spoofer that submits a 
spoofed address resolution for said network protocol address of said target computer station; 

said firewall checking said independently cached address resolution information 
associated with said host computer; 

in response to determining that said previously cached address resolution information 
for said network protocol address differs from said spoofed address resolution submitted by 
said second unsolicited message, said firewall issuing a second broadcast request for network 
elements having said network protocol address to reply with address resolution information 
in order to check the authenticity of said second unsolicited message submitting said spoofed 
address resolution for said network protocol address of said target computer station;

in response to receiving a reply message from said target computer station that
matches said previously cached address resolution, said firewall determining that said second 
unsolicited message is a spoofed message and blocking at least one message which includes 
said spoofed address resolution from passing onto said host computer; 

wherein said firewall is operable to protect said host computer from spoofed address 
resolution messages while permitting genuine address resolutions. 

2. The method of claim 1, wherein said network elements reside in a LAN network 
running Internet Protocol Version 4 (IPv4) using the Address Resolution Protocol (ARP) for 
resolving medium access control (MAC) addresses, and said address resolution cache is an 
ARP cache mapping IPv4 addresses to MAC addresses. 

3. The method of claim 1, wherein said network elements reside in a network that 
implements Internet Protocol Version 6 (IPv6) with Neighbor Discovery for resolving MAC 
addresses, and said address resolution cache is a Neighbor Discovery cache for mapping IPv6 
addresses to MAC addresses. 
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4. The method of claim 1 , wherein said firewall maintains a shadow copy of said address 
resolution cache, wherein said shadow copy is used as the source of said cached address 
resolution information. 

5-8. (Cancelled) 

10. A firewall stored on a machine readable medium for preventing spoofing of an 
address resolution cache of a host computer, said firewall comprising: 

a state machine in said firewall configured to check independently cached address 
resolution information in response to receiving a first unsolicited address resolution response 
message from a target computer station directed to said host computer including a submitted 
genuine address resolution for a network protocol address; 

said state machine generating a request for network elements to report an address 
resolution for said network protocol address in response to determining that said genuine 
address resolution of said first unsolicited message differs from a previously cached address 
resolution for said network protocol address in order to check the authenticity of said first 
unsolicited address resolution message submitting said submitted genuine address resolution 
for said network protocol address;

said state machine permitting an update of said independently cached address
resolution information to include said submitted genuine address resolution in response to 
determining that no address resolution reply messages have said previously cached address 
resolution for said network protocol address that would contradict said submitted genuine 
address resolution of said first unsolicited message; 

said state machine configured to check said independently cached address resolution 
information in response to receiving a second unsolicited address resolution response 
message from a spoofer including a submitted spoofed address resolution for said network 
protocol address of said target computer station; 

said state machine generating a request for network elements to report an address 
resolution for said network protocol address in response to determining that said submitted 
spoofed address resolution of said second unsolicited message differs from a previously 
cached address resolution for said network protocol address in order to check the 
authenticity of said second unsolicited address resolution message submitting said submitted 
spoofed address resolution for said network protocol address; and 

said state machine blocking an update of said independently cached address 
resolution information of said address resolution cache of said host computer to include said 
submitted spoofed address resolution for said network protocol address in response to 
determining a reply message has said previously cached address resolution in contradiction to
said submitted spoofed address resolution of said second unsolicited message; 

wherein said state machine in said firewall protects said host computer from spoofed 
address resolution messages while permitting genuine address resolutions. 

20. (Cancelled) 

22. (Cancelled) 



The following is an examiner's statement of reasons for allowance: the prior art does 
not teach (or even suggest) allowing unsolicited address resolution information to be 
accepted by a networking system. The prior art is directed to analyzing the number of 
outstanding ARP requests in the network and judging whether or not a response is valid 
based on whether or not a request is outstanding for such information. Applicant's invention 
instead accepts unsolicited ARP responses if they are shown to contain genuine (as opposed 
to spoofed) address resolution information. 
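
The decision logic recited in claims 1, 4 and 10, modelled as an added example (not code from the application or from the Office). The class and function names, the `probe` callback standing in for the broadcast request, the MAC and IP values, and the handling of an address with no cached entry are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class ArpGuard:
    """Toy model of the claimed firewall state machine (hypothetical names)."""
    # Shadow copy of the host's address resolution cache (claim 4): IP -> MAC.
    shadow: Dict[str, str] = field(default_factory=dict)
    # IPs for which a verification broadcast was issued, kept for inspection.
    probes: List[str] = field(default_factory=list)

    def on_unsolicited(self, ip: str, claimed: str,
                       probe: Callable[[str], List[str]]) -> str:
        """Judge an unsolicited resolution. `probe(ip)` stands in for the
        broadcast request and returns the MACs of every reply received."""
        cached = self.shadow.get(ip)
        if cached is None or cached == claimed:
            # Assumption: the claims only recite the conflicting case, so a
            # new or unchanged mapping is simply accepted here.
            self.shadow[ip] = claimed
            return "permit"
        # Conflict with the shadow copy: ask the network who owns `ip`.
        self.probes.append(ip)
        if cached in probe(ip):
            # The previously cached owner still answers, which contradicts
            # the unsolicited message: treat it as spoofed and block it.
            return "block"
        # No reply carries the old mapping: accept the new one as genuine.
        self.shadow[ip] = claimed
        return "permit"


def demo():
    """Constructed scenario: a genuine MAC change, then a spoofing attempt."""
    ip = "192.0.2.10"
    guard = ArpGuard(shadow={ip: "02:00:00:00:00:aa"})
    live = {"02:00:00:00:00:bb"}            # MACs that answer a request for ip
    probe = lambda _ip: sorted(live)
    # First message: target replaced its NIC; the old MAC no longer replies.
    first = guard.on_unsolicited(ip, "02:00:00:00:00:bb", probe)
    # Second message: spoofer claims the IP and also answers the probe,
    # but the real target still replies with the cached MAC.
    live.add("02:00:00:00:00:cc")
    second = guard.on_unsolicited(ip, "02:00:00:00:00:cc", probe)
    return first, second, guard.shadow[ip], guard.probes


if __name__ == "__main__":
    print(demo())
```
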



Conclusion

Any comments considered necessary by applicant must be submitted no later than the
payment of the issue fee and, to avoid processing delays, should preferably accompany the 
issue fee. Such submissions should be clearly labeled "Comments on Statement of Reasons 
for Allowance." 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Brian P. Whipple whose telephone number is (571)270-1244. 
The examiner can normally be reached on Mon-Fri (9:30 AM to 6:00 PM EST). 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Bunjob Jaroenchonwanit can be reached on (571) 272-3913. The fax phone 
number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the Patent
Application Information Retrieval (PAIR) system. Status information for published 
applications may be obtained from either Private PAIR or Public PAIR. Status information 
for unpublished applications is available through Private PAIR only. For more information 
about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access 
to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 
(toll-free). If you would like assistance from a USPTO Customer Service Representative or 
access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 
571-272-1000.

Examiner, Art Unit 2152